On Wednesday, February 9, 2022 12:18:59 PM CST Carlo Di Dato via Fulldisclosure wrote: > Hi everyone, > I submittet to Facebook a DNS misconfiguration issue. Specifically, the > following URLs will be resoved as private IP addresses.
nathan:~$ dig dev.facebook.com +short intern-regional.vvv.facebook.com. 10.110.159.20 It's definitely a leak. They need to learn about BIND views, or the equivalent. --Joey > > dev.facebook.com : A [10.110.151.5] > hr.facebook.com : A [10.110.199.9] > prof.facebook.com : A [10.18.4.109] > tps.facebook.com : A [10.110.159.18] > interim.facebook.com : A [10.110.151.5] > nexus.facebook.com : A [192.168.62.201] > alf.facebook.com : A [192.168.16.27] > > It's something similar to Same Site Scripting, except the resolved URL > is not 127.0.0.1 but a private IP address. > You could use them in case of red team activies, for example. > Imagine this scenario: > > #1 - there's a public, unprotected wi-fi network > #2 - you are connected to this wi-fi network and your IP is > 192.168.16.11 > #3 - you could change you IP from 192.168.16.11 to 192.168.16.27 > #4 - you could start a web server with a fake Facebook login page or > with some malicious file > #5 - you could invite someone, within the same network, to visit > "http://alf.facebook.com"; or to download an update from > "http://alf.facebook.com/update.exe"; > > Of course, another scenario would be the one in which you create a > rogue, free wi-fi access point configured to assing 192.168.16.1/24 IPs > > Do you consider this a MITM attack? I'm not 100% sure but Facebook > stated it is. > See you! > > Cheers, > Carlo Di Dato (aka shinnai) > > _______________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ -- Joey Kelly Minister of the Gospel and Linux Consultant http://joeykelly.net 504-239-6550 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
